Phishing at the confluence of digital identity and Wi-Fi access

When we think of phishing, most of us imagine a conventional
phishing attack that begins with a legitimate-looking email. It might appear to
come from an e-commerce site with which you happen to do business. “We’ve lost
your credit card number. Please follow the link to re-enter it,” the email says.
But the link leads to a malicious site where you enter your credit card number,
press submit, and you have just been phished by hoody-clad hackers.

Even more likely in modern phishing attacks, the email may
trick you into giving up your digital identity—for example your Gmail account. Many
legitimate sites give you the option to log in using social login. What’s to
stop a criminal site from asking for your credentials in the same way? The
answer: nothing. (Best to be sure that you only use social login on sites that
you’re sure you can trust.)

Not every phishing attack starts with a spam email, though.
Wi-Fi phishing is analogous to conventional phishing, and the stakes are just
as high—or even higher. To understand how this works, let’s begin at the
beginning.

Rogue access points and evil twins

A rogue access point is an AP that someone has installed on
the network without the approval of IT. It could represent something innocently
misguided, like a user trying to extend Wi-Fi range. (Users should contact IT
teams for that.) Or a rogue AP could be set up with malicious intent.

An “evil twin” access point is a special variety of rogue
access point that attackers can use for nefarious purposes. Every evil twin is
a rogue, but not every rogue is an evil twin. The evil twin impersonates a
legitimate access point and helps attackers compromise your network. As with
many cyber-attacks, user behavior makes this possible.

Attackers can force users off the access point and trick them into associating with the evil twin. This is how a Wi-Fi phishing attack starts. The evil twin can ask them to enter the pre-shared key into a fake login portal. To be clear, the user enters the actual credential into a fake portal. This does not seem unusual to users, because they have probably experienced having to re-enter credentials for network access before. In this scenario, doing so means handing over the Wi-Fi password or user credentials to the attacker, who can then use it to gain access to your network.

Where Wi-Fi phishing meets digital identity

Attackers can easily use the same technique to compromise
digital identity within any IT environment. Suppose that the attacker asks your
end users to enter their enterprise single sign-on credentials to regain access
to the network. As an IT professional, you probably wouldn’t fall for that, but
some of your users might. The more users you have, the more likely someone will
fall victim.

Once the user has handed over his or her credentials, a
world of opportunities opens for the hackers. Organizations typically leverage
cloud-based file synch and share services. Customer relationship management
(CRM) systems live in the cloud. Enterprise SSO platforms allow users—or
hackers that have compromised their credentials—to access both. So, what began
with a Wi-Fi hack can easily end in a massive data breach.

This scenario can play out even with a garden-variety rogue
that is not an evil twin. The AP doesn’t have to be impersonating a legitimate
access point to get a user to compromise his or her digital identity. Have you
ever wondered whether Wi-Fi sources in public locations are legitimate? This vendor video shows how attackers
can compromise digital identities when they target unsuspecting users (in this
case members of the U.K. Parliament—incidentally using a VPN service when
accessing unsecured public Wi-Fi is a good tip). The same thing can happen in
an enterprise environment when users connect to a malicious rogue AP, only the identity
compromised might imperil your confidential data.

How can you combat Wi-Fi phishing, evil twins and other rogue APs?

Fortunately, you can take steps to protect your users and data from these scenarios. Your first line of defense against rogue access points is the wireless intrusion detection and prevention capability provided as part of your wireless LAN.

You can also take steps to avoid SSID proliferation, which
will make it easier to spot rogues in your environment. Many IT environments
become cluttered with SSIDs as IT teams use this as a mechanism to provide
differential levels of access to different users and groups of users. Best
practice: don’t do this. Employ a system for centrally defining and managing
policies for network access.

By taking steps to make sure that users can authenticate reliably and seamlessly to a legitimate source of connectivity, you can also make it less likely that they will seek out a malicious access point, should one be within range. Digital certificates as the basis for network authentication can help here. A certificate on the device can also protect against devices connecting to evil twin APs, should a sophisticated attacker try and spoof a legitimate AP. Ruckus Cloudpath Enrollment System is a great way to roll out digital certificates for your users. It also addresses the security shortcomings of default methods of authentication that you may be using now.

If there is no PSK to divulge, there is also no risk that your users will divulge it. A secure onboarding and authentication approach based upon digital certificates obviates the need for conventional PSKs as a mechanism for network access. You can also use dynamic pre-shared keys, which are unique to each user, for guest access. Guests typically get internet access only, with no access to sensitive internal resources.

Last, but not least, user education is always a key to
avoiding any kind of attack on your network, users and data. Take measures to
educate stakeholders to be careful about what Wi-Fi sources they connect to and
what information they enter when they do.